User registries and repositories
In WAS, a user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization. The information about users and groups resides within a registry or repository. WebSphere Application Server makes access control decisions using the user registry or repository.
WAS provides implementations that support multiple types of registries and repositories, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.
With WebSphere Application Server, a user registry or a repository, such as virtual member manager, authenticates a user and retrieves information about users and groups to perform security-related functions including authentication and authorization. With WebSphere Application Server, a user registry or repository is used for:
- Authenticating a user using basic authentication, identity assertion, or client certificates
- Retrieving information about users and groups to perform security-related administrative functions, such as mapping users and groups to security roles
Although WAS supports different types of user registries, only one user registry can be active. This active registry is shared by all of the product server processes.
After configuring the registry or repository, specify it as the active repository. Through the administration console, you can select an available realm definition for the registry or repository from the User account repository section of the Secure administration, applications, and administration panel. After selecting the registry or repository, first click Set as current, and then click Apply.
WebSphere Application Server has implemented a user registry proxy by using the UserRegistry interface. However, the return values are a little different from the interface. For example, getUniqueUserId returns the uniqueID with the realm name wrapped. You cannot pass that return value directly to getUserSecurityName; strip the realm name first, as shown in the following example:
// Retrieves the default InitialContext for this server.
javax.naming.InitialContext ctx = new javax.naming.InitialContext();
// Retrieves the local UserRegistry object.
com.ibm.websphere.security.UserRegistry reg =
    (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");
// Retrieves the registry uniqueID based on the userName that is specified
// in the NameCallback (userName was read from that callback earlier; not shown).
String uniqueID = reg.getUniqueUserId(userName);
// Strip the realm name and get the real uniqueID.
String uid = com.ibm.wsspi.security.token.WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID);
// Retrieves the security name from the user registry based on the uniqueID.
String securityName = reg.getUserSecurityName(uid);
You can use a Service Provider Interface (SPI) for this parsing function.
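As an added example (not code from the page or from IBM's documentation), the same lookup carried through to the user's group memberships, which is the information role mapping and other authorization checks consume. It assumes it runs inside a server process where the "UserRegistry" JNDI name is bound; the class name RegistryGroupLookup and the choice to return an empty list for an unknown user are assumptions.

```java
import java.rmi.RemoteException;
import java.util.Collections;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;

/** Resolves a user's groups through the active registry (hypothetical helper). */
public final class RegistryGroupLookup {

    /**
     * Returns the group security names of the given user, or an empty list
     * when the user does not exist in the active registry.
     */
    public static List<?> groupsFor(String userSecurityName)
            throws NamingException, CustomRegistryException, RemoteException {
        // Look up the server's UserRegistry proxy from JNDI.
        InitialContext ctx = new InitialContext();
        UserRegistry reg = (UserRegistry) ctx.lookup("UserRegistry");
        try {
            // The proxy returns the unique ID with the realm name wrapped,
            // so strip the realm before handing it back to the registry.
            String wrapped = reg.getUniqueUserId(userSecurityName);
            String uid = WSSecurityPropagationHelper.getUserFromUniqueID(wrapped);
            String securityName = reg.getUserSecurityName(uid);
            // Group membership is what security-role mapping is based on.
            return reg.getGroupsForUser(securityName);
        } catch (EntryNotFoundException notFound) {
            // An unknown user has no groups (assumption: callers treat this as "no access").
            return Collections.emptyList();
        }
    }
}
```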